Security in Cloud Workshop

AWS Security Essentials

Herman Mak, Solutions Architect

March 8, 2019
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Schedule

1. AWS Security Model
2. AWS Compliance and Security
3. AWS Security Technologies and Services

Security is Job Zero at AWS

The AWS security model is layered: people & process, system, network, physical.

• Familiar security model
• Validated and driven by customers' security experts
• Benefits all customers
AWS Shared Responsibility Model: for Infrastructure Services

Managed by customers:
• Customer content
• Platform & applications management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)
• Customer IAM; AWS IAM governs the API calls
(The three data-protection layers are optional; with them in place AWS holds only opaque data, 1's and 0's, in transit and at rest.)

Managed by AWS:
• AWS Foundation Services: compute, storage, database, networking (reached through the API endpoints)
• AWS Global Infrastructure: regions, availability zones, edge locations
Infrastructure Service Example – EC2

Customer responsibilities:
• Customer data
• Customer application
• Operating system
• Network & firewall
• Customer IAM (corporate directory service)
• High availability, scaling
• Instance management
• Data protection (transit, rest, backup)
• AWS IAM (users, groups, roles, policies)

AWS responsibilities:
• Foundation services – networking, compute, storage
• AWS Global Infrastructure
• AWS API endpoints
AWS Shared Responsibility Model: for Container Services

Managed by customers:
• Customer content
• Client-side data encryption & data integrity authentication
• Network traffic protection (encryption / integrity / identity)
• Firewall configuration
• Customer IAM; AWS IAM governs the API calls
(The optional encryption layers again leave AWS with only opaque data, 1's and 0's, in transit and at rest.)

Managed by AWS:
• Platform & applications management
• Operating system, network configuration
• AWS Foundation Services: compute, storage, database, networking (API endpoints)
• AWS Global Infrastructure: regions, availability zones, edge locations
Container Service Example – RDS

Customer responsibilities:
• Customer data
• Firewall (VPC)
• Customer IAM (DB users, table permissions)
• AWS IAM (users, groups, roles, policies)
• High availability
• Data protection (transit, rest, backup)
• Scaling

AWS responsibilities:
• Foundational services – networking, compute, storage
• AWS API endpoints
• Operating system
• Platform / application
• AWS Global Infrastructure
AWS Shared Responsibility Model: for Abstract Services

Managed by customers:
• Customer content
• AWS IAM governs the API calls
• Client-side data encryption & data integrity authentication (optional): AWS then holds only opaque data, 1's and 0's, in flight and at rest

Managed by AWS:
• Data protection by the platform: protection of data at rest
• Network traffic protection by the platform: protection of data in transit
• Platform & applications management
• Operating system, network & firewall configuration
• AWS Foundation Services: compute, storage, database, networking (API endpoints)
• AWS Global Infrastructure: regions, availability zones, edge locations
Abstract Service Example – S3

Customer responsibilities:
• Customer data
• Data protection (rest – client-side encryption, CSE)
• AWS IAM (users, groups, roles, policies)

AWS responsibilities:
• Foundational services
• AWS Global Infrastructure
• AWS API endpoints
• Operating system
• Platform / application
• Data protection (rest – server-side encryption, SSE; transit)
• High availability / scaling
Summary of Customer Responsibility in the Cloud

Infrastructure Services    Container Services    Abstract Services
Data                       Data                  Data
Customer IAM               Customer IAM          AWS IAM
AWS IAM                    AWS IAM
Applications               Firewall
Operating System
Networking/Firewall
What is Identity Management?

“…the management of individual principals, their authentication, authorization, and privileges …with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” (Wikipedia)
AWS Principals

Account Owner ID (Root Account)
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.
The root account cannot be restricted by IAM identity policies, so protect it with MFA and reserve it for the few tasks only root can perform.

IAM Users, Groups and Roles
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).

Temporary Security Credentials
• Access to specific services.
• Access to console and/or APIs.
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.

Username/user, manage groups of users, centralized access control.

Optional configurations:
• Password for console access.
• Policies for controlling access to AWS APIs.
• Two methods to sign API calls:
  • X.509 certificate (legacy SOAP API only)
  • Access key ID / secret access key (Signature Version 4)
• Multi-factor Authentication (MFA)
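The following is an added example, not from the deck: a small Python model of the decision IAM makes when a principal's policy is checked against an API call. It evaluates a constructed least-privilege policy (the bucket name, statement ids and the MFA-gated write are illustrative): an explicit Deny beats any Allow, an unmatched request is implicitly denied, action names are case-insensitive while ARNs are not, and only the Bool condition operator is modelled. Real IAM also applies SCPs, permission boundaries, resource and session policies, which this model omits.

```python
"""Toy evaluator for IAM identity-policy decisions (added example, not AWS code).

Models only identity-based policies in one account: an explicit Deny wins over
any Allow, and a request nobody allows is implicitly denied.
"""
import fnmatch
import json

# Constructed policy; "example-bucket" and the Sids are placeholders.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBucket",
     "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "WriteOnlyWithMfa",
     "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "NeverReadSecrets",
     "Effect": "Deny",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive, so no lowering here.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; any other operator fails closed."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            actual = context.get(key)
            # A missing key makes a Bool condition false, as in IAM.
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny ends evaluation
        allowed = True             # keep going: a later Deny still wins
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    for req in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/report.pdf", {}),
                ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem", mfa),
                ("s3:PutObject", "arn:aws:s3:::example-bucket/upload.bin", {}),
                ("s3:PutObject", "arn:aws:s3:::example-bucket/upload.bin", mfa),
                ("ec2:TerminateInstances", "*", mfa)]:
        print(req[0], req[1], "->", evaluate(POLICY, *req))
```

The MFA-gated write uses the aws:MultiFactorAuthPresent context key, which is only present for credentials obtained with MFA; the Deny on the secrets/ prefix shows why a broad Allow can still be carved out without touching the Allow statement.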
Assurance Programs

AWS Artifact – Compliance reports

Provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO and others), with self-service, on-demand access via the console.
AWS Responsibilities

Physical Security of Data Center

• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.

One last thing about data sanitization

(figure labelled "From this" and "To this")
AWS Global Infrastructure

20 Regions – 60 Availability Zones – 160 Points of Presence (as of March 2019)

Regions and Availability Zones (AZ count in parentheses):
US East: N. Virginia (6), Ohio (3)
US West: N. California (3), Oregon (3)
Canada: Central (2)
South America: São Paulo (3)
Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
Asia Pacific: Mumbai (2), Seoul (2), Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)
China: Beijing (2), Ningxia (3)
GovCloud (US): US-East (3), US-West (3)

New Regions (coming soon): Bahrain, Cape Town, Hong Kong SAR, Milan
VPC

VPC = Virtual Private Cloud: your virtual data center on AWS.
• A block of IPs that defines your network (typically RFC 1918 private space); in the diagrams, VPC CIDR 10.1.0.0/16
• Can span multiple Availability Zones (Availability Zone A, Availability Zone B)
• Each region comes with a default VPC
VPC subnet

• A range of IPs within your VPC's IP range; in the diagram, 10.1.1.0/24 in Availability Zone A and 10.1.10.0/24 in Availability Zone B inside VPC CIDR 10.1.0.0/16
• Lives inside one AZ
• Can provide security at the subnet or network level with network access control lists (ACLs)
• Can route at the subnet level
• The default VPC comes with default subnets
Internet gateway

IGW = Internet gateway
• Enables your instances to connect to the Internet (and to the AWS public API endpoints)
• The default VPC includes an IGW
(diagram: subnets 10.1.1.0/24 in Availability Zone A and 10.1.10.0/24 in Availability Zone B, VPC CIDR 10.1.0.0/16, IGW attached)
Route table

• Contains a set of rules, called routes, that are used to determine where network traffic is directed
• Each subnet has exactly one route table
• A route table can belong to many subnets
• Controls routing for the subnet to the IGW and VGW

Route table for the diagram (VPC CIDR 10.1.0.0/16, subnets 10.1.1.0/24 and 10.1.10.0/24):

Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw
VGW and VPN connection

VGW = virtual private gateway
• A VGW is the logical construct representing the VPN endpoint that terminates connections from your on-premises network
• The other end is a customer gateway in your corporate data center, with the VPN running over the Internet (diagram: internal user, corporate data center, customer gateway, VGW attached to the VPC 10.1.0.0/16 with subnets 10.1.1.0/24 and 10.1.10.0/24)
• It is also the endpoint for Direct Connect
Network access control list

NACL = network access control list
• An optional layer of security that acts as a firewall for a subnet (diagram: one VPC subnet with ACL per Availability Zone, EC2 instances inside, VPC CIDR 10.1.0.0/16)
• A numbered list of rules that are evaluated in order; the first match wins
• ACLs are stateless and have separate inbound and outbound rules
Security group

• A security group acts as a virtual firewall for your EC2 instance
• An EC2 instance can have up to five security groups (the default limit per network interface; it can be raised)
• Security groups act at the instance level, not the subnet level
• Security groups are stateful
(diagram: instances in subnet 10.1.1.0/24, Availability Zone A, and subnet 10.1.10.0/24, Availability Zone B; VPC CIDR 10.1.0.0/16)
VPC security controls

(diagram: VPC 10.1.0.0/16 with EC2 instance 1 at 10.1.1.6, instance 2 at 10.1.1.7 and instance 3 at 10.1.10.20; each subnet's route table sits on the virtual router, which connects to the Internet Gateway and the Virtual Private Gateway)
Security Groups = stateful firewall

Example inbound rule, in English: hosts in this group are reachable from the Internet on port 80 (HTTP). Because the group is stateful, the responses flow back without an outbound rule.
Multi-tier architecture using Security Groups

• Web Layer: only 80 and 443 open to the Internet
• Application Layer: open only to the Web Layer, and ssh open to the management bastion
• Database Layer: the same pattern, open only to the tier above it
• Amazon EC2 security group firewall: by default, all inbound ports are closed (a new group has no inbound rules)
Network ACLs = Stateless Firewall Rules

• Can be applied on a subnet basis
• Example rule (the default NACL), English translation: allow all traffic in
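Added example (not from the deck) showing why the stateful/stateless distinction on the last few slides matters in practice. It models the three-tier layout above with constructed group names, CIDRs and ports (203.0.113.0/24 stands in for the office network): security groups reference other groups as sources, and a "web only" NACL that allows 80/443 in and out drops the server's replies because they leave on ephemeral ports, which the stateful security group handles on its own.

```python
"""Stateful security groups vs. stateless network ACLs (added example, not AWS code).

Group names, CIDRs and ports are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NaclRule:
    number: int          # rules are evaluated in ascending order; first match wins
    protocol: str        # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str          # "allow" or "deny"


@dataclass
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    source: str          # a CIDR, or a security-group name such as "sg-web"


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # outbound stays "allow all" (default)


def nacl_allows(rules, protocol, port, ip):
    """Stateless check of one packet against one direction of a NACL."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False   # the trailing "*" rule: deny anything unmatched


def sg_allows_inbound(group, protocol, port, src_ip, src_groups):
    """A security group has only allow rules; a source may be a CIDR or another group."""
    for rule in group.inbound:
        if rule.protocol != protocol or not rule.port_from <= port <= rule.port_to:
            continue
        if rule.source.startswith("sg-"):
            if rule.source in src_groups:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
            return True
    return False


def tcp_connect(server_sg, nacl, dst_port, client_ip, client_port, client_groups=()):
    """Return (ok, reason) for a TCP handshake from the client into the server's subnet."""
    if not nacl_allows(nacl["inbound"], "tcp", dst_port, client_ip):
        return False, "NACL inbound dropped the SYN"
    if not sg_allows_inbound(server_sg, "tcp", dst_port, client_ip, client_groups):
        return False, "no matching security-group rule"
    # The SYN/ACK returns to the client's ephemeral port. The security group is
    # stateful and passes it; the NACL is stateless and evaluates it as new traffic.
    if not nacl_allows(nacl["outbound"], "tcp", client_port, client_ip):
        return False, "NACL outbound dropped the reply on the ephemeral port"
    return True, "connected"


# Three tiers plus a bastion, as on the slide; 203.0.113.0/24 stands in for the office range.
SG_BASTION = SecurityGroup("sg-bastion", [SgRule("tcp", 22, 22, "203.0.113.0/24")])
SG_WEB = SecurityGroup("sg-web", [SgRule("tcp", 80, 80, "0.0.0.0/0"),
                                  SgRule("tcp", 443, 443, "0.0.0.0/0"),
                                  SgRule("tcp", 22, 22, "sg-bastion")])
SG_APP = SecurityGroup("sg-app", [SgRule("tcp", 8080, 8080, "sg-web"),
                                  SgRule("tcp", 22, 22, "sg-bastion")])
SG_DB = SecurityGroup("sg-db", [SgRule("tcp", 3306, 3306, "sg-app"),
                                SgRule("tcp", 22, 22, "sg-bastion")])

# Default NACL: rule 100 allows everything in both directions.
NACL_DEFAULT = {"inbound": [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")],
                "outbound": [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]}
# A mistaken "web only" NACL: it forgets that replies leave on ephemeral ports.
NACL_BROKEN = {"inbound": [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
                           NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")],
               "outbound": [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
                            NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")]}
# The corrected version adds the ephemeral range outbound.
NACL_PUBLIC = {"inbound": NACL_BROKEN["inbound"],
               "outbound": NACL_BROKEN["outbound"]
               + [NaclRule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]}

if __name__ == "__main__":
    print(tcp_connect(SG_WEB, NACL_PUBLIC, 80, "198.51.100.7", 50000))
    print(tcp_connect(SG_WEB, NACL_BROKEN, 80, "198.51.100.7", 50000))
    print(tcp_connect(SG_APP, NACL_DEFAULT, 8080, "10.1.1.6", 44000, {"sg-web"}))
    print(tcp_connect(SG_DB, NACL_DEFAULT, 3306, "10.1.1.6", 44001, {"sg-web"}))
```

The group-to-group references are what make the tiering hold: an Internet client can never satisfy an sg-app or sg-db rule because it is not a member of the referenced group, and the bastion rule only admits the office range.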
What is a DDoS Attack?

Distributed Denial of Service: many sources flood a target with traffic or requests so that legitimate users cannot be served.
Types of DDoS attacks

Application-layer DDoS attacks
Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods).

State-exhaustion DDoS attacks
Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood).

Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks).
AWS Shield Standard protections

Layer 3/4 protection
• Protects from the most common attacks (SYN/UDP floods, reflection attacks, etc.)
• Automatically detects & mitigates
• Built into AWS services

Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
AWS Shield Advanced

• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• 24x7 access to the DDoS Response Team
• Attack notification and reporting
• AWS bill protection
AWS WAF – Layer 7 application protection

Threats addressed: IP reputation lists, HTTP floods, scanners and probes, bots and scrapers, SQL injection, cross-site scripting.

AWS WAF Security Automations
https://aws.amazon.com/answers/security/aws-waf-security-automations/
AWS Trusted Advisor – Real-time guidance

Security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• CloudTrail logging
• S3 bucket permissions
• Multi-factor auth
• Password policy
• DB access risk
• DNS records
• Load balancer config
AWS Trusted Advisor Demo

CloudWatch Logs – Centralization of logs

CloudWatch Logs provides a centralized service to absorb, store, analyze, and take action on a variety of log sources:
• Operating system logs
• Webserver logs
• Application logs

Use cases
• Centralized log store
• Prevent log modification on instances (logs shipped off-host are out of an intruder's reach)
• Notifications on events
VPC Flow Logs

• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Each record contains: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
VPC Flow Logs – CloudWatch Alarms

VPC Flow Logs

Downstream consumers:
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
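Added example (not from the deck): parsing the default version-2 VPC Flow Log record format and deriving the kind of metric the slides suggest alarming on, plus two questions an analyst asks of the same data. The log lines are constructed (TEST-NET addresses, one NODATA interval); a custom log format would need the FIELDS list adjusted.

```python
"""Parse VPC Flow Log records and derive alertable metrics (added example, not AWS code).

Assumes the default version-2 record format emitted when no custom format is
configured. The sample records are constructed, not captured.
"""
from collections import Counter, defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 41234 22 6 1 40 1551970000 1551970060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 41235 23 6 1 40 1551970000 1551970060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 41236 3389 6 1 40 1551970000 1551970060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 41237 445 6 1 40 1551970000 1551970060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 41238 8080 6 1 40 1551970000 1551970060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.1.1.6 51000 443 6 20 8400 1551970000 1551970060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.1.1.6 10.1.10.20 44000 3306 6 30 12000 1551970000 1551970060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1551970000 1551970060 - NODATA
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.1.1.6 60000 22 6 1 40 1551970060 1551970120 REJECT OK
"""


def parse_flow_log(text):
    """Return a list of dicts, one per usable record; NODATA/SKIPDATA lines carry no flow."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def rejects_per_interface(records):
    """A metric worth a CloudWatch alarm: REJECT count per ENI in the window."""
    return Counter(r["interface_id"] for r in records if r["action"] == "REJECT")


def suspected_port_scans(records, min_ports=5):
    """Sources whose rejected TCP flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:      # 6 = TCP
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def accepted_talkers(records, dstport):
    """Who actually reached a sensitive port (here the database tier), with bytes moved."""
    return {(r["srcaddr"], r["dstaddr"]): r["bytes"]
            for r in records if r["action"] == "ACCEPT" and r["dstport"] == dstport}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(rejects_per_interface(recs))
    print(suspected_port_scans(recs))
    print(accepted_talkers(recs, 3306))
```

A REJECT only tells you a security group or NACL did its job; the useful signal is the pattern (one source, many ports) and the ACCEPTs to ports that should see few talkers.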
Full visibility and logging features

Full visibility of your AWS environment
• CloudTrail records API calls and saves the logs in your S3 buckets, no matter how those API calls were made (console, CLI, or SDK)
• Who did what, when, and from where (IP address)
• CloudTrail/Config support for many AWS services and growing – includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms

Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
AWS CloudTrail example

Automate actions on events

Amazon CloudWatch (Events) triggers AWS Lambda, which can notify through Amazon SNS.
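Added example (not from the deck) for the CloudTrail and "Automate actions on events" slides: a Lambda handler that triages a CloudTrail record delivered by CloudWatch Events and raises findings for the activity the slides call out (root usage, console sign-in without MFA, trail tampering, a security group opened to the world). Field names follow CloudTrail's record format; the records, account id, ARNs, IPs and group id are constructed, and the notify callable stands in for sns.publish so the code runs offline. One caveat is built in: federated console logins through an identity provider arrive as AssumedRole with MFAUsed "No", so they are not reported as MFA-less.

```python
"""Triage CloudTrail events delivered to Lambda by CloudWatch Events (added example, not AWS code).

Field names follow CloudTrail's record format; the records, account id, ARNs,
IPs and group id below are constructed. In a deployed function `notify`
would be boto3's sns.publish.
"""
import json

LOGGING_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _world_open_ranges(params):
    """CIDRs in an AuthorizeSecurityGroupIngress request that admit the whole Internet."""
    found = []
    for perm in (params or {}).get("ipPermissions", {}).get("items", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                found.append((proto, lo, hi))
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                found.append((proto, lo, hi))
    return found


def triage(record):
    """Return a list of finding strings for one CloudTrail record (empty if unremarkable)."""
    who = record.get("userIdentity", {})
    name, source = record.get("eventName"), record.get("eventSource")
    where = f"from {record.get('sourceIPAddress')} at {record.get('eventTime')}"
    findings = []
    if who.get("type") == "Root":
        findings.append(f"root credentials used for {name} {where}")
    if name == "ConsoleLogin":
        extra = record.get("additionalEventData", {})
        # Federated (AssumedRole) logins report MFAUsed "No" even when the IdP enforced MFA.
        if extra.get("MFAUsed") == "No" and who.get("type") != "AssumedRole":
            findings.append(f"console login without MFA by {who.get('arn')} {where}")
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_CALLS:
        findings.append(f"audit trail changed: {name} by {who.get('arn')} {where}")
    if name == "AuthorizeSecurityGroupIngress":
        params = record.get("requestParameters", {})
        for proto, lo, hi in _world_open_ranges(params):
            findings.append(f"{params.get('groupId')} opened {proto} {lo}-{hi} to the world "
                            f"by {who.get('arn')} {where}")
    return findings


def lambda_handler(event, context=None, notify=None):
    """Entry point: unwrap the CloudWatch Events envelope, triage, notify (SNS in production)."""
    findings = triage(event.get("detail", {}))
    for finding in findings:
        (notify or print)(finding)
    return {"findings": findings}


# Constructed CloudWatch Events envelopes carrying CloudTrail records.
SAMPLE_EVENTS = [json.loads(s) for s in ("""
{"detail-type": "AWS Console Sign In via CloudTrail", "detail": {
  "eventTime": "2019-03-08T01:02:03Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}}
""", """
{"detail-type": "AWS API Call via CloudTrail", "detail": {
  "eventTime": "2019-03-08T01:10:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"name": "management-events"}}}
""", """
{"detail-type": "AWS API Call via CloudTrail", "detail": {
  "eventTime": "2019-03-08T01:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}
""", """
{"detail-type": "AWS API Call via CloudTrail", "detail": {
  "eventTime": "2019-03-08T01:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}}}
""")]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        lambda_handler(event)
```

Wiring this up means a CloudWatch Events rule matching the event types of interest, the Lambda function as its target, and an SNS topic the function publishes to; the triage logic is where the security judgement lives, so keep it small and tested.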
AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.

Tracked resources include EC2, EBS, VPC and CloudTrail.

Use cases: security analysis, audit compliance, change management, troubleshooting, discovery.
AWS Config Demo

Data Encryption At-Rest

Two key-management options: AWS CloudHSM and AWS Key Management Service.
Key handling questions for any solution

Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?

Where are keys used?
• Client software you control?
• Server software the cloud provider controls?

Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions?

What assurances are there for proper security around keys?
Options for using encryption in AWS

Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply the encryption keys OR use keys in your AWS account
• Available clients: S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK

Server-side encryption
• AWS encrypts data on your behalf after the data is received by the service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail
AWS Key Management Service (AWS KMS)

• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• Integrated with many AWS services for server-side encryption
• Integrated with AWS service clients/SDKs: S3, EMRFS, DynamoDB, AWS Encryption SDK
• Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China
AWS KMS is fully integrated with AWS IAM

AWS KMS integration with AWS services

(table of integrated services; * marks services that support only AWS managed KMS keys)
Bring Your Own Key

1. Create a customer master key (CMK) container. KMS creates an empty CMK container with a unique key ID.
2. Download a public wrapping key. KMS returns an RSA public key, together with an import token that must accompany the wrapped material.
3. Export your key material from your key management infrastructure, encrypted under the public wrapping key: your 256-bit key material, encrypted under the KMS public key.
4. Import the encrypted key material under the KMS CMK key ID and set an optional expiration period. Your key material is now protected in KMS.
AWS CloudHSM

• Dedicated access to HSM appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• Setup right from the console

Division of control (diagram): the AWS administrator manages the appliance; you control the keys and the crypto operations on them.
AWS CloudHSM

Available in multiple AWS regions worldwide

Compliance
• Included in AWS PCI DSS and SOC compliance packages
• FIPS 140-2 Level 3 (AWS CloudHSM)
• FIPS 140-2 Level 2 (AWS CloudHSM Classic)

Typical use cases
• Electronic invoicing and document signing
• Use with Amazon Redshift and RDS for Oracle
• Integrate with third-party software (Oracle, Microsoft SQL Server, Apache, SafeNet, OpenSSL)
• Build your own custom applications
Key handling solutions from AWS Marketplace

• Browse, test, and buy encryption and key management solutions
• Pay by the hour, monthly, or annually
• Software fees added to the AWS bill
• Bring Your Own License
AWS Marketplace Security Partners

Categories: infrastructure security, identity and access control, configuration & vulnerability analysis, logs and monitoring, data protection.
AWS Marketplace Demo

Thank You
Herman Mak
Solutions Architect

Twitter: @hermanmakHK
Github: hermanmak
Submit your feedback to get a $25 AWS credit